Fake Amazon UK Mail Asks You to Verify Your Account After “Breach”

There is an Amazonphishing scam currently making rounds, so you better keep an eye on your inboxes, assuming your spam traps haven’t picked up on this one yet. And much like majority of phish campaigns, this one also begins with an email. The samples we retrieved all originated from the Linode server (24.236.39.51).

click to enlarge

From: Amazon <notify@ukamazonverify[DOT]co[DOT]uk>
To: {recipient's email address}
Subject: You have [1] new message
Message body:
IMPORTANT NOTICE
As you may be aware on August 3rd, some of our customers accounts were compromised, resulting from data theft of
2,592 account records. This breach represents a small fraction of Amazon's total customer database, the overwhelming
majority of which are held in a secure data centre.
Although the issue is now fully resolved we ask all our customer to complete our account verification process. This will only take a few minutes and will ensure the safeguarding of your account information. Please click the link below to get started.
GET STARTED
Please Note: Failure to comply with our account verification process may lead to restrictions being placed on your account.
Best regards,
Amazon Customer Support

In case you’re not up to speed with the news, let us be the first to say that Amazon wasn’t compromised or breached last month.

The “Get Started” text is, of course, a link leading to the phishing page (screenshot below), which is at ukamazonverify[DOT]com:

click to enlarge

One must provide entries into the text boxes for the site to check, else the user won’t be able to proceed.

After text boxes have been filled out, the user is taken to another page asking for more details, which includes personally identifiable information (PII), payment card details, and account security details (screenshot below).

click to enlarge

The page then changes after clicking the Validate button to tell users to wait as this site processes all their details, complete with a “spinny” indicator to denote that indeed some semblance of data processing is taking place at the background.

click to enlarge

What users don’t realize is that they’re actually taking their cue from a GIF file, and not an actual indicator, as they wait for what happens next. In the end, they are directed to the real Amazon UK site.

ukamazonverify[DOT]com is created two days ago, along with other domains registered under a specific email address from 126[DOT]com, a popular email provider in China.

Some browsers have already flagged the domain as a potential threat, which is great. Dear Reader, when you see a similar email like the one above in your inbox, simply delete them, and don’t think too much about it.

February 11, 2019 - A roundup of security news from February 4 – 8, including Facebook's secure messaging integration, Google's changes to URLs, a scam involving the Kindle store and John Wick, and more.

February 4, 2019 - Over the weekend, we observed a clever spam campaign using bogus ebooks dressed as John Wick 3 movie files to push links to streaming sites. Can John and your ability avoid web based scams survive?

October 10, 2018 - A potentially erroneous report from Bloomberg claimed that Chinese spies were able to infiltrate US hardware supplier Supermicro, and therefore, our technology supply chain. Learn how this unverified story could ultimately come true—and what, if anything, can be done to stop it.

April 14, 2017 - On Monday, the Wall Street Journal reported a wave of hijacked Amazon seller accounts that proceeded to fleece buyers for large sums of money. As reported here, attackers would use credentials harvested from other breaches to take over the account, then either simply redirect funds to their own deposit account or create lots of fake...